Do Not Call Registers: A Gift for Fraudsters?

Recently I have received many calls saying I am in serious legal trouble. Unusually, these calls are not from unscrupulous RAFM practitioners trying to dictate what I write about them on Commsrisk, but come from spammers trying to trick gullible members of the public into dialing them back. The calls are automated, and involve a machine reading a script that repeatedly tells me a phone number I am supposed to ring immediately, threatening unspecified legal consequences if I do not. Naturally I disregard the obvious lie, whilst trying to imagine which irresponsible scumbucket enterprise sold my telephone number to blatant fraudsters.

Can anything be done to discourage such calls? Many countries have some kind of national do not call (DNC) register, used to capture phone numbers that legitimate marketeers should avoid dialing. But it is unlikely that fraudsters would respect such a register. On the contrary, new research by Merve Şahin and Aurélien Francillon of EURECOM found that the UK’s DNC register, known as the Telephone Preference Service (TPS), is being used by fraudsters as a source of numbers that they dial. Having set up a honeypot that included 10 TPS-registered numbers, they…

…observed a sequence of consecutive calls targeting all those numbers in order (but none of the numbers that were not registered) in a half-hour period. As the numbers registered in DNC list were randomly selected, a coincidence is highly unlikely (both probabilistically, and in terms of being a simple number range scanning attempt). Note that, except single calls to 2 of the phone numbers, these honeypot numbers did not receive any calls previously.
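The pattern in this observation can be checked mechanically against honeypot call records. The following is an added example, not code from the research paper or from Commsrisk; the record format, the function name `find_dnc_sweeps` and the sample numbers and dates are constructed for illustration.

```python
from datetime import datetime, timedelta

def find_dnc_sweeps(calls, dnc_numbers, window=timedelta(minutes=30)):
    """Find bursts that reach every DNC-registered honeypot number, and no
    unregistered one, within `window` (half an hour, as in the observation).

    calls: (timestamp, callee) pairs for all honeypot numbers (assumed format).
    Returns a list of (start, end, callees, in_order) tuples.
    """
    calls = sorted(calls)
    dnc = set(dnc_numbers)
    sweeps, i = [], 0
    while i < len(calls):
        start = calls[i][0]
        j = i
        while j < len(calls) and calls[j][0] - start <= window:
            j += 1
        callees = [callee for _, callee in calls[i:j]]
        if set(callees) == dnc:
            # Distinct numbers in the order first dialled; the observation
            # notes that the registered numbers were called in order.
            first_seen = list(dict.fromkeys(callees))
            sweeps.append((start, calls[j - 1][0], callees,
                           first_seen == sorted(dnc)))
            i = j  # skip past the burst just reported
        else:
            i += 1
    return sweeps

# Constructed sample data: a six-number honeypot, three numbers registered.
DNC_REGISTERED = {"+441632960001", "+441632960002", "+441632960003"}
SAMPLE_CALLS = [
    (datetime(2018, 3, 1, 10, 0), "+441632960001"),   # isolated earlier call
    (datetime(2018, 3, 5, 15, 0), "+441632960004"),   # unregistered number
    (datetime(2018, 3, 9, 9, 0), "+441632960001"),    # sweep begins
    (datetime(2018, 3, 9, 9, 10), "+441632960002"),
    (datetime(2018, 3, 9, 9, 20), "+441632960003"),
]

if __name__ == "__main__":
    for start, end, callees, in_order in find_dnc_sweeps(SAMPLE_CALLS, DNC_REGISTERED):
        print(f"{start} to {end}: {len(callees)} calls, in order: {in_order}")
```

A burst that also touches an unregistered honeypot number is not reported, since that looks like ordinary range scanning rather than use of the register.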

A key point raised by Şahin and Francillon is whether it is wise for DNC lists to be circulated freely.

In many countries, telemarketing companies are allowed to download the whole DNC list, for a few thousand Euros per year. On the other hand, some countries employ the ‘list washing’ technique, where telemarketers send their phone number lists and the DNC list maintainer cleans (or highlights) the numbers that should not be called.

If DNC lists are meant to protect members of the public then there is an obvious flaw in allowing them to be obtained and used without supervision. Why are European countries wasting their time with the General Data Protection Regulation (GDPR) when so many of them are effectively aiding criminals by giving them long lists of phone numbers and other personal details which can be abused? Şahin and Francillon take a similar view to me, noting that the download of national DNC lists:

…could put consumers’ privacy at risk, as the lists often also include additional information about consumers. The DNC list regulations usually state that the disclosure or sale of the list to external parties is not allowed. However, this may be very difficult to detect and prevent, if the lists are downloadable by third parties.

The alternative approach – list washing – is better. However…

…it can still be abused. For instance, a company with a very large target phone number list may abuse the list washing process to actually identify the DNC list numbers.

Ordinary people are entitled to privacy at all levels. That means they should be free to enjoy their privacy without being hounded by unwanted marketing calls. This also means their personal data should not be passed around carelessly from organization to organization. The irony here is that authorities are pursuing one kind of privacy in such a slapdash manner that they have put the other kind of privacy at risk. And the consequence is grim: when serial fraudsters obtain all the personal information captured on a national DNC register, the purpose of that register is lost, and the people listed are at heightened risk.

With so many European data protection authorities posturing about the importance of protecting personal data, it beggars belief that this obvious anomaly is not given more scrutiny. Merve Şahin told me she is reaching out to telco regulators in the hopes of drawing their attention to the issues. I wish her luck.

You will find Şahin and Francillon’s research paper on the effectiveness of DNC registers by looking here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.